IoT Testing Methodology
IoT Device Security Testing
InfoMagnum engineers perform the security assessment on device physical interfaces to identify the security threats such as privilege escalation, IoT device exploitation, encryption keys and priorities the risk at device level to provide with actionable mitigation steps.
IoT Device Network Services Security Testing
InfoMagnum engineers test device network service in-depth to find the potential vulnerability in the network service such as reply attacks, lack of payload verification, Unencrypted Services, Various injections and provide with actionable mitigation recommendations.
IoT Device Application Security Testing
When security engineering team start with web / mobile interface security assessment we make sure that we uncover the critical software vulnerabilities and prepare the working POC to demonstrate weaknesses in the application with actionable recommendations for mitigation.
IoT Cloud Web Security Testing
InfoMagnum engineers perform the security testing on the cloud services which can be accessed externally. The cloud API which is used to interact with IoT devices, sensors. We prepare the actionable POC to demonstrate vulnerability and provide the working recommendations to mitigate the vulnerability.
Wireless Protocol Security Assessments
In the wireless protocol security assessment our security engineer perform security testing on wireless protocols used for the device communication. We extensively do research on Bluetooth LE, RF analysis, ZigBee, and 6LoWAPN. We also follow the minimum baseline standards for the device communication protocol.
Infrastructure Security Testing
InfoMagnum engineers will remotely identify the networks, hosts, and services that comprise the supporting network infrastructure of your Internet of Things product ecosystem. Vulnerabilities are identified, and if desired, exploited during a penetration test.
How we can help you to build secure IoT Device
- Full Stake Penetration Testing of your Internet of Things product – the device, how the device talks to your smart phone or the internet, the cloud services that hosts that data, websites or applications that talk to your device.
- PII data security review
- Code review – embedded code, remote procedure calls, mobile and web application code
- Evaluation of authentication, authorization and auditing structure
- Data security evaluation at rest and in motion
- Protocol communication review: REST, SOAP, RPC, etc
- Security evaluations databases and directories including queries, stored procedures, authentication and ACLs
- Reviewing privilege escalation attacks
- Reviewing cryptographic protection on applications and delivery mechanisms
- Reviewing application binary or packages for embedded passwords, keys, certificates
- Reviewing log handling, insecure storage, and caching / temp file issues.